Customer Assurance Portal Group

Explained: Symantec's Product Assurance Resources 

07-10-2019 02:09 PM

Symantec maintains a set of industry-standard resources to help provide our customers with assurance that the products they are purchasing or consuming meet a high standard in regard to security and privacy. Below is an explanation of the importance of each of these resources.


A Standard Information Gathering (SIG) questionnaire gathers information to determine how security risks are managed across a spectrum of 18 risk control areas, or “domains”, within a service provider’s environment. A Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider.

Penetration Test

A penetration test report is typically generated by a trusted third party who has conducted simulation testing on an application and/or infrastructure with the objective of identifying weaknesses that may be exploited by an adversary. The full report will typically include the scope and method of testing as well as a risk evaluation and the identification of vulnerabilities. Full test reports are classified ‘Internal Use Only’ documents; however, a redacted report may be shared on request.

ISO 27001

ISO 27001 is a certification which determines the conformity of an organization’s information security management system (ISMS) to the ISO 27001 standard. Once certification has been achieved, it is valid for three years before recertification is required. A Statement of Applicability (SoA) defines which of the suggested 114 controls (security measures) from the ISO 27001 standard you will apply and, for those that are applicable, the way they will be implemented. This is generally internal-only and can only be shared under special circumstances.


A Service Organization Controls (SOC 1) report is an attestation report on controls at a service organization which are relevant to user entities’ internal control over financial reporting. It will contain an opinion letter from the service organization audit firm, a trusted third party.


A Service Organization Controls (SOC 2) report is an attestation report assessing internal controls in place at a service organization to meet the criteria as they relate to the security, availability, processing integrity, confidentiality and/or privacy trust services principles. The report will contain an opinion letter from the service organization audit firm, an assertion letter from the service organization’s management, a system description containing an extensive narrative on the five key components of the organization’s system under review (e.g. infrastructure, software, people, procedures, and data) as well as organizational-level procedures, and finally the applicable trust services criteria, related control activities, and the testing performed by the service auditor and the related test results.

A Type I report refers to a point in time and tests the design of a service organization’s controls, but not the operating effectiveness. A Type II report refers to an attestation over a period of time (6-12 months) including the observation of operating effectiveness. These reports are valid for 12 months from the report date, at which point re-assessment is required. An Engagement Letter may be generated by the assessor as evidence that a re-assessment is in place. A Bridge or Gap Letter may also be generated by the assessor to attest that the organization is compliant over a defined interim period prior to a new report being provided.


A Service Organization Controls (SOC 3) report is a reduced version of a SOC 2 report and is intended for a general audience.


The Payment Card Industry Data Security Standard (PCI-DSS) is a set of criteria applicable to organisations that accept, store, transmit or process cardholder data. An Attestation of Compliance (AoC) is a report declaring the results of an assessment of an organisation’s controls against the standard. In most cases, Symantec products do not accept, store, transmit or process cardholder data.


FedRAMP authorization provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by the US government. Because its goal is to protect US citizen data in the cloud, it is the government’s most rigorous security compliance framework. A portal of FedRAMP approved services can be found here. As Symantec products enter the process of certification, they will appear there.

